About this policy

This policy gives security researchers clear guidelines and a point of contact to report their research findings if they believe they have found a potential security vulnerability within the systems, services or products of the Australian Competition and Consumer Commission (the agency or ACCC).

The security of our systems and the data we hold is a critical priority for the agency. We make every effort to keep our ICT systems secure. Despite our efforts, there may still be vulnerabilities.

This policy allows security researchers to responsibly share their findings with the ACCC. If you think you have found a potential vulnerability in one of our ICT systems, services, or products, you can report the vulnerability to us.

What this policy covers

  • Products or services wholly owned by the agency to which you have lawful access

What this policy doesn’t cover

  • Clickjacking
  • Social engineering or phishing
  • Weak or insecure SSL ciphers and certificates
  • Denial of service (DoS or DDoS) attacks
  • Posting, transmitting, uploading, linking to, or sending any malware
  • Physical attacks
  • Attempts to modify or destroy data
  • Attempts to extract or exfiltrate sensitive data
  • Any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

Responsible security research

We allow responsible security research on our products and services to which you have authorised access.

Any responsible security research on our products and services must be undertaken under Australian law, and not compromise or exploit the ACCC’s data, employees, infrastructure, operations, and activities.

The agency will act in good faith with parties who report potential security vulnerabilities and will do its best to address each issue in a timely fashion.

To encourage responsible reporting, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability.

Report a security vulnerability

You can responsibly report potential security vulnerabilities to the ACCC Information Security Team by emailing vulnerabilitydisclosure@accc.gov.au.

We ask that you include details of the potential security vulnerability with enough information to allow the Security Team to reproduce your steps.

Provide as much information as possible, such as:

  • an explanation of the potential security vulnerability
  • a list of products and services that may be affected (where possible)
  • steps to reproduce the vulnerability
  • proof-of-concept code (where applicable)
  • your contact information.

After you make a report

We will confirm receipt of your report and outline any remedial action we propose to take to address the security vulnerability.

Subject to any regulatory and legal requirements, all reports will be kept strictly confidential, including the details of the potential security vulnerability as well as the identity of all researchers involved in reporting it.

We ask that you maintain confidentiality until we have remediated or mitigated the potential security vulnerability. Public disclosure of any potential security vulnerability is not permitted without our express written consent.

As an Australian Government agency, we can’t compensate individuals or organisations for finding potential or confirmed security vulnerabilities.
